Inside the mind of a hacker

Whether cracking digital security for good or ill, hackers tend to be people who are manipulative, deceitful, exploitative, cynical and insensitive, according to research from the School of Management.

Recently presented at the Hawaii International Conference on System Sciences, the study analyzed the psychological profiles of college students in computer science and management to see which personality traits led to three different kinds of computer hacking: white hat, gray hat and black hat.

White hats are the ethical hackers, who help organizations detect and fix their security vulnerabilities. Gray hats are the “hacktivists,” who hack for ideological reasons, such as attacking a political adversary, a company policy or even a nation-state. And black hat hackers, sometimes called crackers, are motivated by personal gain to breach computer systems — or may just be in it for the thrill of the attack, revenge or notoriety.

“Gray hatters oppose authority, black hatters are thrill-seeking and white hatters — the good guys — tend to be narcissists,” says co-author Lawrence Sanders, professor of management science and systems. “So even though white hats may be devious and psychopathic, we need them to address nefarious hacking activity.”

The researchers surveyed 439 college sophomores and juniors to determine their personality traits, and developed a set of scales to determine the three hat categories, as well as a scale to measure each person’s perception of the probability of being caught for violating privacy laws.

“Engaging in criminal activity involves a choice where there are consequences and opportunities, and individuals perceive them differently,” says lead author Joana Gaia, clinical assistant professor of management science and systems. “But, they can be deterred if there is a likelihood of punishment — and the punishment is severe.”

The results of the study suggest that security compliance will continue to be a problem, but there are several ways businesses and organizations can reduce the impact or prevent security breaches.

“Firms can use monitoring technology and multifactor authentication to prevent unauthorized access to physical and digital spaces,” says Gaia. “Organizations could use personality traits to evaluate employees as security threats, but that should be approached cautiously for practical, ethical and privacy reasons.”

Sanders and Gaia collaborated on the study with UB colleagues Bina Ramamurthy, teaching professor of computer science and engineering; Shambhu Upadhyaya, professor of computer science and engineering; UB PhD students Sean Patrick Sanders and Xunyi Wang; and Chul Woo Yoo, assistant professor of information technology and operations management at the Florida Atlantic University College of Business.